localstack-core 4.7.1.dev49__py3-none-any.whl → 4.10.1.dev12__py3-none-any.whl

localstack/services/s3/presigned_url.py

@@ -40,15 +40,13 @@ from localstack.http.request import get_raw_path
 from localstack.services.s3.constants import (
     DEFAULT_PRE_SIGNED_ACCESS_KEY_ID,
     DEFAULT_PRE_SIGNED_SECRET_ACCESS_KEY,
+    S3_HOST_ID,
     SIGNATURE_V2_PARAMS,
     SIGNATURE_V4_PARAMS,
 )
 from localstack.services.s3.utils import (
-    S3_VIRTUAL_HOST_FORWARDED_HEADER,
-    _create_invalid_argument_exc,
     capitalize_header_name_from_snake_case,
     extract_bucket_name_and_key_from_headers_and_path,
-    forwarded_from_virtual_host_addressed_request,
     is_bucket_name_valid,
     is_presigned_url_request,
     uses_host_addressing,
@@ -86,8 +84,6 @@ IGNORED_SIGV4_HEADERS = [
     "x-amz-content-sha256",
 ]
 
-FAKE_HOST_ID = "9Gjjt1m+cjU4OPvX9O9/8RuvnG41MRb/18Oux2o5H5MY7ISNTlXN+Dz9IG62/ILVxhAGI0qyPfg="
-
 HOST_COMBINATION_REGEX = r"^(.*)(:[\d]{0,6})"
 PORT_REPLACEMENT = [":80", ":443", f":{config.GATEWAY_LISTEN[0].port}", ""]
 
@@ -157,7 +153,7 @@ def create_signature_does_not_match_sig_v2(
         "The request signature we calculated does not match the signature you provided. Check your key and signing method."
     )
     ex.AWSAccessKeyId = access_key_id
-    ex.HostId = FAKE_HOST_ID
+    ex.HostId = S3_HOST_ID
     ex.SignatureProvided = request_signature
     ex.StringToSign = string_to_sign
     ex.StringToSignBytes = to_bytes(string_to_sign).hex(sep=" ", bytes_per_sep=2).upper()
@@ -300,7 +296,7 @@ def is_valid_sig_v2(query_args: set) -> bool:
             LOG.info("Presign signature calculation failed")
             raise AccessDenied(
                 "Query-string authentication requires the Signature, Expires and AWSAccessKeyId parameters",
-                HostId=FAKE_HOST_ID,
+                HostId=S3_HOST_ID,
             )
 
         return True
@@ -318,7 +314,7 @@ def is_valid_sig_v4(query_args: set) -> bool:
             LOG.info("Presign signature calculation failed")
             raise AuthorizationQueryParametersError(
                 "Query-string authentication version 4 requires the X-Amz-Algorithm, X-Amz-Credential, X-Amz-Signature, X-Amz-Date, X-Amz-SignedHeaders, and X-Amz-Expires parameters.",
-                HostId=FAKE_HOST_ID,
+                HostId=S3_HOST_ID,
             )
 
         return True
@@ -352,7 +348,7 @@ def validate_presigned_url_s3(context: RequestContext) -> None:
             )
         else:
             raise AccessDenied(
-                "Request has expired", HostId=FAKE_HOST_ID, Expires=expires, ServerTime=time.time()
+                "Request has expired", HostId=S3_HOST_ID, Expires=expires, ServerTime=time.time()
             )
 
     auth_signer = HmacV1QueryAuthValidation(credentials=signing_credentials, expires=expires)
@@ -451,7 +447,7 @@ def validate_presigned_url_s3v4(context: RequestContext) -> None:
         else:
             raise AccessDenied(
                 "There were headers present in the request which were not signed",
-                HostId=FAKE_HOST_ID,
+                HostId=S3_HOST_ID,
                 HeadersNotSigned=", ".join(sigv4_context.missing_signed_headers),
             )
 
@@ -483,7 +479,7 @@ def validate_presigned_url_s3v4(context: RequestContext) -> None:
         else:
             raise AccessDenied(
                 "Request has expired",
-                HostId=FAKE_HOST_ID,
+                HostId=S3_HOST_ID,
                 Expires=expiration_time.timestamp(),
                 ServerTime=time.time(),
                 X_Amz_Expires=x_amz_expires,
@@ -569,34 +565,21 @@ class S3SigV4SignatureContext:
             self._query_parameters
         )
 
-        if forwarded_from_virtual_host_addressed_request(self._headers):
-            # FIXME: maybe move this so it happens earlier in the chain when using virtual host?
-            if not is_bucket_name_valid(self._bucket):
-                raise InvalidBucketName(BucketName=self._bucket)
-            netloc = self._headers.get(S3_VIRTUAL_HOST_FORWARDED_HEADER)
-            self.host = netloc
-            self._original_host = netloc
-            self.signed_headers["host"] = netloc
-            # the request comes from the Virtual Host router, we need to remove the bucket from the path
+        netloc = urlparse.urlparse(self.request.url).netloc
+        self.host = netloc
+        self._original_host = netloc
+        if (host_addressed := uses_host_addressing(self._headers)) and not is_bucket_name_valid(
+            self._bucket
+        ):
+            raise InvalidBucketName(BucketName=self._bucket)
+
+        if not host_addressed and not self.request.path.startswith(f"/{self._bucket}"):
+            # if in path style, check that the path starts with the bucket
+            # our path has been sanitized, we should use the un-sanitized one
             splitted_path = self.request.path.split("/", maxsplit=2)
-            self.path = f"/{splitted_path[-1]}"
-
+            self.path = f"/{self._bucket}/{splitted_path[-1]}"
         else:
-            netloc = urlparse.urlparse(self.request.url).netloc
-            self.host = netloc
-            self._original_host = netloc
-            if (host_addressed := uses_host_addressing(self._headers)) and not is_bucket_name_valid(
-                self._bucket
-            ):
-                raise InvalidBucketName(BucketName=self._bucket)
-
-            if not host_addressed and not self.request.path.startswith(f"/{self._bucket}"):
-                # if in path style, check that the path starts with the bucket
-                # our path has been sanitized, we should use the un-sanitized one
-                splitted_path = self.request.path.split("/", maxsplit=2)
-                self.path = f"/{self._bucket}/{splitted_path[-1]}"
-            else:
-                self.path = self.request.path
+            self.path = self.request.path
 
         # we need to URL encode the path, as the key needs to be urlencoded for the signature to match
         self.path = urlparse.quote(self.path)
@@ -715,7 +698,7 @@ class S3SigV4SignatureContext:
         if not (split_creds := credential.split("/")) or len(split_creds) != 5:
             raise AuthorizationQueryParametersError(
                 'Error parsing the X-Amz-Credential parameter; the Credential is mal-formed; expecting "<YOUR-AKID>/YYYYMMDD/REGION/SERVICE/aws4_request".',
-                HostId=FAKE_HOST_ID,
+                HostId=S3_HOST_ID,
             )
 
         return split_creds[2]
@@ -772,13 +755,12 @@ def validate_post_policy(
     :return: None
     """
     if not request_form.get("key"):
-        ex: InvalidArgument = _create_invalid_argument_exc(
-            message="Bucket POST must contain a field named 'key'.  If it is specified, please check the order of the fields.",
-            name="key",
-            value="",
-            host_id=FAKE_HOST_ID,
+        raise InvalidArgument(
+            "Bucket POST must contain a field named 'key'.  If it is specified, please check the order of the fields.",
+            ArgumentName="key",
+            ArgumentValue="",
+            HostId=S3_HOST_ID,
         )
-        raise ex
 
     form_dict = {k.lower(): v for k, v in request_form.items()}
 
@@ -793,7 +775,7 @@ def validate_post_policy(
 
     if not is_v2 and not is_v4:
         ex: AccessDenied = AccessDenied("Access Denied")
-        ex.HostId = FAKE_HOST_ID
+        ex.HostId = S3_HOST_ID
         raise ex
 
     try:
@@ -812,7 +794,7 @@ def validate_post_policy(
     if expiration := policy_decoded.get("expiration"):
         if is_expired(_parse_policy_expiration_date(expiration)):
             ex: AccessDenied = AccessDenied("Invalid according to Policy: Policy expired.")
-            ex.HostId = FAKE_HOST_ID
+            ex.HostId = S3_HOST_ID
             raise ex
 
     # TODO: validate the signature
@@ -834,7 +816,7 @@ def validate_post_policy(
             str_condition = str(condition).replace("'", '"')
             raise AccessDenied(
                 f"Invalid according to Policy: Policy Condition failed: {str_condition}",
-                HostId=FAKE_HOST_ID,
+                HostId=S3_HOST_ID,
             )
 
 
@@ -887,7 +869,7 @@ def _verify_condition(condition: list | dict, form: dict, additional_policy_meta
                     "Your proposed upload exceeds the maximum allowed size",
                     ProposedSize=size,
                     MaxSizeAllowed=end,
-                    HostId=FAKE_HOST_ID,
+                    HostId=S3_HOST_ID,
                 )
             else:
                 return True
@@ -932,13 +914,12 @@ def _is_match_with_signature_fields(
                 if argument_name == "Awsaccesskeyid":
                     argument_name = "AWSAccessKeyId"
 
-                ex: InvalidArgument = _create_invalid_argument_exc(
-                    message=f"Bucket POST must contain a field named '{argument_name}'.  If it is specified, please check the order of the fields.",
-                    name=argument_name,
-                    value="",
-                    host_id=FAKE_HOST_ID,
+                raise InvalidArgument(
+                    f"Bucket POST must contain a field named '{argument_name}'.  If it is specified, please check the order of the fields.",
+                    ArgumentName=argument_name,
+                    ArgumentValue="",
+                    HostId=S3_HOST_ID,
                 )
-                raise ex
 
         return True
     return False

localstack/services/s3/provider.py

@@ -1,4 +1,5 @@
 import base64
+import contextlib
 import copy
 import datetime
 import json
@@ -8,6 +9,7 @@ from collections import defaultdict
 from inspect import signature
 from io import BytesIO
 from operator import itemgetter
+from threading import RLock
 from typing import IO
 from urllib import parse as urlparse
 from zoneinfo import ZoneInfo
@@ -23,6 +25,7 @@ from localstack.aws.api.s3 import (
     AccountId,
     AnalyticsConfiguration,
     AnalyticsId,
+    AuthorizationHeaderMalformed,
     BadDigest,
     Body,
     Bucket,
@@ -235,6 +238,7 @@ from localstack.services.s3.constants import (
     ARCHIVES_STORAGE_CLASSES,
     CHECKSUM_ALGORITHMS,
     DEFAULT_BUCKET_ENCRYPTION,
+    S3_HOST_ID,
 )
 from localstack.services.s3.cors import S3CorsHandler, s3_cors_request_handler
 from localstack.services.s3.exceptions import (
@@ -277,6 +281,7 @@ from localstack.services.s3.utils import (
     get_canned_acl,
     get_class_attrs_from_spec_class,
     get_failed_precondition_copy_source,
+    get_failed_upload_part_copy_source_preconditions,
     get_full_default_bucket_location,
     get_kms_key_arn,
     get_lifecycle_rule_from_object,
@@ -337,6 +342,8 @@ class S3Provider(S3Api, ServiceLifecycleHook):
         self._storage_backend = storage_backend or EphemeralS3ObjectStore(DEFAULT_S3_TMP_DIR)
         self._notification_dispatcher = NotificationDispatcher()
         self._cors_handler = S3CorsHandler(BucketCorsIndex())
+        # TODO: add lock for keys for PutObject, only way to support precondition writes for versioned buckets
+        self._preconditions_locks = defaultdict(lambda: defaultdict(RLock))
 
         # runtime cache of Lifecycle Expiration headers, as they need to be calculated everytime we fetch an object
         # in case the rules have changed
@@ -381,7 +388,7 @@ class S3Provider(S3Api, ServiceLifecycleHook):
         """
         if s3_bucket.notification_configuration:
             if not s3_notif_ctx:
-                s3_notif_ctx = S3EventNotificationContext.from_request_context_native(
+                s3_notif_ctx = S3EventNotificationContext.from_request_context(
                     context,
                     s3_bucket=s3_bucket,
                     s3_object=s3_object,
@@ -469,6 +476,16 @@ class S3Provider(S3Api, ServiceLifecycleHook):
         context: RequestContext,
         request: CreateBucketRequest,
     ) -> CreateBucketOutput:
+        if context.region == "aws-global":
+            # TODO: extend this logic to probably all the provider, and maybe all services. S3 is the most impacted
+            #  right now so this will help users to properly set a region in their config
+            # See the `TestS3.test_create_bucket_aws_global` test
+            raise AuthorizationHeaderMalformed(
+                f"The authorization header is malformed; the region 'aws-global' is wrong; expecting '{AWS_REGION_US_EAST_1}'",
+                HostId=S3_HOST_ID,
+                Region=AWS_REGION_US_EAST_1,
+            )
+
         bucket_name = request["Bucket"]
 
         if not is_bucket_name_valid(bucket_name):
@@ -577,6 +594,7 @@ class S3Provider(S3Api, ServiceLifecycleHook):
         store.global_bucket_map.pop(bucket)
         self._cors_handler.invalidate_cache()
         self._expiration_cache.pop(bucket, None)
+        self._preconditions_locks.pop(bucket, None)
         # clean up the storage backend
         self._storage_backend.delete_bucket(bucket)
 
@@ -636,6 +654,16 @@ class S3Provider(S3Api, ServiceLifecycleHook):
         expected_bucket_owner: AccountId = None,
         **kwargs,
     ) -> HeadBucketOutput:
+        if context.region == "aws-global":
+            # TODO: extend this logic to probably all the provider, and maybe all services. S3 is the most impacted
+            #  right now so this will help users to properly set a region in their config
+            # See the `TestS3.test_create_bucket_aws_global` test
+            raise AuthorizationHeaderMalformed(
+                f"The authorization header is malformed; the region 'aws-global' is wrong; expecting '{AWS_REGION_US_EAST_1}'",
+                HostId=S3_HOST_ID,
+                Region=AWS_REGION_US_EAST_1,
+            )
+
         store = self.get_store(context.account_id, context.region)
         if not (s3_bucket := store.buckets.get(bucket)):
             if not (account_id := store.global_bucket_map.get(bucket)):
@@ -727,6 +755,12 @@ class S3Provider(S3Api, ServiceLifecycleHook):
             system_metadata["ContentType"] = "binary/octet-stream"
 
         version_id = generate_version_id(s3_bucket.versioning_status)
+        if version_id != "null":
+            # if we are in a versioned bucket, we need to lock around the full key (all the versions)
+            # because object versions have locks per version
+            precondition_lock = self._preconditions_locks[bucket_name][key]
+        else:
+            precondition_lock = contextlib.nullcontext()
 
         etag_content_md5 = ""
         if content_md5 := request.get("ContentMD5"):
@@ -809,7 +843,10 @@ class S3Provider(S3Api, ServiceLifecycleHook):
                 if encodings:
                     s3_object.system_metadata["ContentEncoding"] = ",".join(encodings)
 
-        with self._storage_backend.open(bucket_name, s3_object, mode="w") as s3_stored_object:
+        with (
+            precondition_lock,
+            self._storage_backend.open(bucket_name, s3_object, mode="w") as s3_stored_object,
+        ):
             # as we are inside the lock here, if multiple concurrent requests happen for the same object, it's the first
             # one to finish to succeed, and subsequent will raise exceptions. Once the first write finishes, we're
             # opening the lock and other requests can check this condition
@@ -1248,7 +1285,7 @@ class S3Provider(S3Api, ServiceLifecycleHook):
             delete_marker_id = generate_version_id(s3_bucket.versioning_status)
             delete_marker = S3DeleteMarker(key=key, version_id=delete_marker_id)
             s3_bucket.objects.set(key, delete_marker)
-            s3_notif_ctx = S3EventNotificationContext.from_request_context_native(
+            s3_notif_ctx = S3EventNotificationContext.from_request_context(
                 context,
                 s3_bucket=s3_bucket,
                 s3_object=delete_marker,
@@ -1281,6 +1318,10 @@ class S3Provider(S3Api, ServiceLifecycleHook):
             store.TAGS.tags.pop(get_unique_key_id(bucket, key, version_id), None)
         self._notify(context, s3_bucket=s3_bucket, s3_object=s3_object)
 
+        if key not in s3_bucket.objects:
+            # we clean up keys that do not have any object versions in them anymore
+            self._preconditions_locks[bucket].pop(key, None)
+
         return response
 
     def delete_objects(
@@ -1314,6 +1355,7 @@ class S3Provider(S3Api, ServiceLifecycleHook):
         errors = []
 
         to_remove = []
+        versioned_keys = set()
         for to_delete_object in objects:
             object_key = to_delete_object.get("Key")
             version_id = to_delete_object.get("VersionId")
@@ -1351,7 +1393,7 @@ class S3Provider(S3Api, ServiceLifecycleHook):
                 delete_marker_id = generate_version_id(s3_bucket.versioning_status)
                 delete_marker = S3DeleteMarker(key=object_key, version_id=delete_marker_id)
                 s3_bucket.objects.set(object_key, delete_marker)
-                s3_notif_ctx = S3EventNotificationContext.from_request_context_native(
+                s3_notif_ctx = S3EventNotificationContext.from_request_context(
                     context,
                     s3_bucket=s3_bucket,
                     s3_object=delete_marker,
@@ -1394,6 +1436,8 @@ class S3Provider(S3Api, ServiceLifecycleHook):
                 continue
 
             s3_bucket.objects.pop(object_key=object_key, version_id=version_id)
+            versioned_keys.add(object_key)
+
             if not quiet:
                 deleted_object = DeletedObject(
                     Key=object_key,
@@ -1411,6 +1455,11 @@ class S3Provider(S3Api, ServiceLifecycleHook):
             self._notify(context, s3_bucket=s3_bucket, s3_object=found_object)
             store.TAGS.tags.pop(get_unique_key_id(bucket, object_key, version_id), None)
 
+        for versioned_key in versioned_keys:
+            # we clean up keys that do not have any object versions in them anymore
+            if versioned_key not in s3_bucket.objects:
+                self._preconditions_locks[bucket].pop(versioned_key, None)
+
         # TODO: request charged
         self._storage_backend.remove(bucket, to_remove)
         response: DeleteObjectsOutput = {}
@@ -2179,7 +2228,7 @@ class S3Provider(S3Api, ServiceLifecycleHook):
         # TODO: add a way to transition from ongoing-request=true to false? for now it is instant
         s3_object.restore = f'ongoing-request="false", expiry-date="{restore_expiration_date}"'
 
-        s3_notif_ctx_initiated = S3EventNotificationContext.from_request_context_native(
+        s3_notif_ctx_initiated = S3EventNotificationContext.from_request_context(
             context,
             s3_bucket=s3_bucket,
             s3_object=s3_object,
@@ -2483,10 +2532,6 @@ class S3Provider(S3Api, ServiceLifecycleHook):
         request: UploadPartCopyRequest,
     ) -> UploadPartCopyOutput:
         # TODO: handle following parameters:
-        #  CopySourceIfMatch: Optional[CopySourceIfMatch]
-        #  CopySourceIfModifiedSince: Optional[CopySourceIfModifiedSince]
-        #  CopySourceIfNoneMatch: Optional[CopySourceIfNoneMatch]
-        #  CopySourceIfUnmodifiedSince: Optional[CopySourceIfUnmodifiedSince]
         #  SSECustomerAlgorithm: Optional[SSECustomerAlgorithm]
         #  SSECustomerKey: Optional[SSECustomerKey]
         #  SSECustomerKeyMD5: Optional[SSECustomerKeyMD5]
@@ -2549,6 +2594,14 @@ class S3Provider(S3Api, ServiceLifecycleHook):
         if source_range:
             range_data = parse_copy_source_range_header(source_range, src_s3_object.size)
 
+        if precondition := get_failed_upload_part_copy_source_preconditions(
+            request, src_s3_object.last_modified, src_s3_object.etag
+        ):
+            raise PreconditionFailed(
+                "At least one of the pre-conditions you specified did not hold",
+                Condition=precondition,
+            )
+
         s3_part = S3Part(part_number=part_number)
         if s3_multipart.checksum_algorithm:
             s3_part.checksum_algorithm = s3_multipart.checksum_algorithm
@@ -2622,6 +2675,7 @@ class S3Provider(S3Api, ServiceLifecycleHook):
             )
 
         elif if_none_match:
+            # TODO: improve concurrency mechanism for `if_none_match` and `if_match`
             if if_none_match != "*":
                 raise NotImplementedException(
                     "A header you provided implies functionality that is not implemented",
@@ -3166,11 +3220,12 @@ class S3Provider(S3Api, ServiceLifecycleHook):
         if "TagSet" not in tagging:
             raise MalformedXML()
 
-        validate_tag_set(tagging["TagSet"], type_set="bucket")
+        tag_set = tagging["TagSet"] or []
+        validate_tag_set(tag_set, type_set="bucket")
 
         # remove the previous tags before setting the new ones, it overwrites the whole TagSet
         store.TAGS.tags.pop(s3_bucket.bucket_arn, None)
-        store.TAGS.tag_resource(s3_bucket.bucket_arn, tags=tagging["TagSet"])
+        store.TAGS.tag_resource(s3_bucket.bucket_arn, tags=tag_set)
 
     def get_bucket_tagging(
         self,
@@ -3220,12 +3275,13 @@ class S3Provider(S3Api, ServiceLifecycleHook):
         if "TagSet" not in tagging:
             raise MalformedXML()
 
-        validate_tag_set(tagging["TagSet"], type_set="object")
+        tag_set = tagging["TagSet"] or []
+        validate_tag_set(tag_set, type_set="object")
 
         key_id = get_unique_key_id(bucket, key, s3_object.version_id)
         # remove the previous tags before setting the new ones, it overwrites the whole TagSet
         store.TAGS.tags.pop(key_id, None)
-        store.TAGS.tag_resource(key_id, tags=tagging["TagSet"])
+        store.TAGS.tag_resource(key_id, tags=tag_set)
         response = PutObjectTaggingOutput()
         if s3_object.version_id:
             response["VersionId"] = s3_object.version_id
@@ -3291,7 +3347,7 @@ class S3Provider(S3Api, ServiceLifecycleHook):
 
         s3_object = s3_bucket.get_object(key=key, version_id=version_id, http_method="DELETE")
 
-        store.TAGS.tags.pop(get_unique_key_id(bucket, key, version_id), None)
+        store.TAGS.tags.pop(get_unique_key_id(bucket, key, s3_object.version_id), None)
         response = DeleteObjectTaggingOutput()
         if s3_object.version_id:
             response["VersionId"] = s3_object.version_id
@@ -3852,7 +3908,9 @@ class S3Provider(S3Api, ServiceLifecycleHook):
         if retention and retention["RetainUntilDate"] < datetime.datetime.now(datetime.UTC):
             # weirdly, this date is format as following: Tue Dec 31 16:00:00 PST 2019
             # it contains the timezone as PST, even if you target a bucket in Europe or Asia
-            pst_datetime = retention["RetainUntilDate"].astimezone(tz=ZoneInfo("US/Pacific"))
+            pst_datetime = retention["RetainUntilDate"].astimezone(
+                tz=ZoneInfo("America/Los_Angeles")
+            )
             raise InvalidArgument(
                 "The retain until date must be in the future!",
                 ArgumentName="RetainUntilDate",

localstack/services/s3/utils.py

@@ -7,6 +7,7 @@ import logging
 import re
 import time
 import zlib
+from collections.abc import Mapping
 from enum import StrEnum
 from secrets import token_bytes
 from typing import Any, Literal, NamedTuple, Protocol
@@ -50,6 +51,7 @@ from localstack.aws.api.s3 import (
     SSEKMSKeyId,
     TaggingHeader,
     TagSet,
+    UploadPartCopyRequest,
     UploadPartRequest,
 )
 from localstack.aws.api.s3 import Type as GranteeType
@@ -62,7 +64,6 @@ from localstack.services.s3.constants import (
     AUTHENTICATED_USERS_ACL_GRANTEE,
     CHECKSUM_ALGORITHMS,
     LOG_DELIVERY_ACL_GRANTEE,
-    S3_VIRTUAL_HOST_FORWARDED_HEADER,
     SIGNATURE_V2_PARAMS,
     SIGNATURE_V4_PARAMS,
     SYSTEM_METADATA_SETTABLE_HEADERS,
@@ -403,6 +404,45 @@ def parse_copy_source_range_header(copy_source_range: str, object_size: int) ->
     )
 
 
+def get_failed_upload_part_copy_source_preconditions(
+    request: UploadPartCopyRequest, last_modified: datetime.datetime, etag: ETag
+) -> str | None:
+    """
+    Utility which parses the conditions from a S3 UploadPartCopy request.
+    Note: The order in which these conditions are checked if used in conjunction matters
+
+    :param UploadPartCopyRequest request: The S3 UploadPartCopy request.
+    :param datetime last_modified: The time the source object was last modified.
+    :param ETag etag: The ETag of the source object.
+
+    :returns: The name of the failed precondition.
+    """
+    if_match = request.get("CopySourceIfMatch")
+    if_none_match = request.get("CopySourceIfNoneMatch")
+    if_unmodified_since = request.get("CopySourceIfUnmodifiedSince")
+    if_modified_since = request.get("CopySourceIfModifiedSince")
+
+    if if_match:
+        if if_match.strip('"') != etag.strip('"'):
+            return "x-amz-copy-source-If-Match"
+        if if_modified_since and if_modified_since > last_modified:
+            return "x-amz-copy-source-If-Modified-Since"
+        # CopySourceIfMatch is unaffected by CopySourceIfUnmodifiedSince so return early
+        if if_unmodified_since:
+            return None
+
+    if if_unmodified_since and if_unmodified_since < last_modified:
+        return "x-amz-copy-source-If-Unmodified-Since"
+
+    if if_none_match and if_none_match.strip('"') == etag.strip('"'):
+        return "x-amz-copy-source-If-None-Match"
+
+    if if_modified_since and last_modified < if_modified_since < datetime.datetime.now(
+        tz=_gmt_zone_info
+    ):
+        return "x-amz-copy-source-If-Modified-Since"
+
+
 def get_full_default_bucket_location(bucket_name: BucketName) -> str:
     host_definition = localstack_host()
     if host_definition.host != constants.LOCALHOST_HOSTNAME:
@@ -482,7 +522,7 @@ def is_valid_canonical_id(canonical_id: str) -> bool:
         return False
 
 
-def uses_host_addressing(headers: dict[str, str]) -> str | None:
+def uses_host_addressing(headers: Mapping[str, str]) -> str | None:
     """
     Determines if the request is targeting S3 with virtual host addressing
     :param headers: the request headers
@@ -511,15 +551,6 @@ def get_system_metadata_from_request(request: dict) -> Metadata:
     return metadata
 
 
-def forwarded_from_virtual_host_addressed_request(headers: dict[str, str]) -> bool:
-    """
-    Determines if the request was forwarded from a v-host addressing style into a path one
-    """
-    # we can assume that the host header we are receiving here is actually the header we originally received
-    # from the client (because the edge service is forwarding the request in memory)
-    return S3_VIRTUAL_HOST_FORWARDED_HEADER in headers
-
-
 def extract_bucket_name_and_key_from_headers_and_path(
     headers: dict[str, str], path: str
 ) -> tuple[str | None, str | None]:
@@ -574,17 +605,6 @@ def get_bucket_and_key_from_presign_url(presign_url: str) -> tuple[str, str]:
     return bucket, key
 
 
-def _create_invalid_argument_exc(
-    message: str | None, name: str, value: str, host_id: str = None
-) -> InvalidArgument:
-    ex = InvalidArgument(message)
-    ex.ArgumentName = name
-    ex.ArgumentValue = value
-    if host_id:
-        ex.HostId = host_id
-    return ex
-
-
 def capitalize_header_name_from_snake_case(header_name: str) -> str:
     return "-".join([part.capitalize() for part in header_name.split("-")])